import tempfile
import base64
import traceback
+from tempfile import mkstemp
+
from OpenSSL import crypto
import M2Crypto
from M2Crypto import X509
-from tempfile import mkstemp
-from sfa.util.sfalogging import logger
+
+import sfa.util.sfalogging
from sfa.util.namespace import urn_to_hrn
from sfa.util.faults import *
# Verify a chain of certificates. Each certificate must be signed by
# the public key contained in it's parent. The chain is recursed
# until a certificate is found that is signed by a trusted root.
- # TODO: verify expiration time
- #print "====Verify Chain====="
+
+ # verify expiration time
+ if self.cert.has_expired():
+ raise CertExpired(self.get_subject(), "client cert")
+
# if this cert is signed by a trusted_cert, then we are set
for trusted_cert in trusted_certs:
- #print "***************"
- # TODO: verify expiration of trusted_cert ?
- #print "CLIENT CERT", self.dump()
- #print "TRUSTED CERT", trusted_cert.dump()
- #print "Client is signed by Trusted?", self.is_signed_by_cert(trusted_cert)
if self.is_signed_by_cert(trusted_cert):
- logger.debug("Cert %s signed by trusted cert %s", self.get_subject(), trusted_cert.get_subject())
- return trusted_cert
+ sfa.util.sfalogging.logger.debug("Cert %s signed by trusted cert %s", self.get_subject(), trusted_cert.get_subject())
+ # verify expiration of trusted_cert ?
+ if not trusted_cert.cert.has_expired():
+ return trusted_cert
+ else:
+ sfa.util.sfalogging.logger.debug("Trusted cert %s is expired", trusted_cert.get_subject())
# if there is no parent, then no way to verify the chain
if not self.parent: